Topic: DHCP Relay problem  (Read 4921 times)
« on: May 07, 2007, 05:30:29 »
Ventolin *
Posts: 46

I haven't checked the release notes of m0n0wall to see if this feature is complete, but it's so simple, I don't see how it couldn't work.

However, whenever I go to use it, it...does nothing.

My network is like this:

Internet
     Router (DHCP enabled)
           mom/dad/sister/brother
           m0n0wall
                  me

That is to say, my family connects to the internet using our in-home router's DHCP, they have no problems, I have a monowall between myself and the uplink to the main router. The monowall has DHCP Relay enabled. DHCP Relay, to my understanding, is supposed to bump the m0n0wall's client DHCP requests transparently through the monowall and up to the main router so that the client lands in the same subnet mask as everyone else on the main router. (DHCP Relay = LAN side DHCP requests get routed to the WAN without shaping)

The problem is this:

DHCP either does something else, and I'm flat out wrong, or it's simply not working. It's just one button, it's not like I'm pushing the button incorrectly... I've tried everything; after I set DHCP Relay on, I save the settings and reboot the firewall (cold) just to be sure, but it acts the exact same way whether Relay is on or not... it doesn't seem to make any difference.

Why is DHCP Relay being weird for me?


Now, for those of you out there who can't troubleshoot without knowing the back-story, here's what else is going on:

I have a few computers to my name, all of which I like to take care of and ensure their longevity. This one, my iBook G4... my PC (Windows XP based) and my slap-dash last resort file server (Windows XP based). Before anyone looks down their nose at the idea of using XP on a server, consider that the server ONLY serves me, it's basically a 1TB external hard drive that's TCP/IP based. It has yet to crash, even once. Now, my ultimate goal here is to set up a high speed monowall rig (1000-T WAN / 1000-T LAN) on an appropriate platform, a Pentium 4 maybe... and then run my server through that m0n0wall. The idea is that, by that point, I'd be serving more than just myself, and because I can't set up file permissions to any capacity, I figured it'd be easier to stick to OSes I understand and let monowall block off who wasn't on the "white list". Essentially, monowall would be blocking anyone who wasn't already allowed to get in.

Why go through so much trouble to set it up this way? I don't trust anyone in my house not to try to screw with my files when I'm not there. So instead of using some wimped-out software firewall (McAfee, Norton, Windows), I'd go with something with a community behind it. Furthermore I can't stand McAfee or Norton, they've caused me enough pain as it is...
« Reply #1 on: May 07, 2007, 08:32:42 »
cmb *****
Posts: 851

You misunderstand what DHCP relay is for. For it to work, your LAN needs to be on a different IP subnet, and the DHCP server you're forwarding to must have a second zone configured for your subnet.

In your case, what you want is to just set up your LAN side on a different subnet with the WAN on DHCP, and use m0n0wall's DHCP for your internal network.
« Reply #2 on: May 07, 2007, 17:45:40 »
Ventolin *
Posts: 46

Thanks for the reply, though I've been working like that and I haven't had the best results.


Main router looks like... 192.168.0.1 (gateway, itself) so all of my family looks like 192.168.0.X

So what I've done, and what I think you're suggesting, is that my m0n0wall's WAN IP would be 192.168.0.something... which is easily done... and normally I have my sub-m0n0wall LAN set up as 20.1.0.X with of course a subnet mask of 255.255.0.0

The problem still remains though that... as far as I can tell, if I'm on my mom's computer, there's not a chance that I'd be able to see any of my server's SMB shares (as they're behind the monowall from her standpoint), which, like I briefly mentioned, is my ultimate goal.

I want to set up a high speed monowall device to be able to comb through all of the traffic going to my server.

Eventually, my network will look like this:

Server(monowall's lan side)

M0n0wall

The rest of my subnet, including wireless clients. (monowall's wan side)



Maybe I should reverse the WAN and the LAN side? Either way it's done... I just want to have a m0n0wall block MAC addresses/IP addresses that aren't whitelisted... part of the idea here is that I have a great wireless access point, so I don't care if people come in and borrow my internet once in a while, but unless I really know them, I don't want them to have access to my server's SMB shares.

It seems fundamentally flawed though because it looks like when m0n0wall acts as a router, it doesn't relay all unblocked traffic. It feels like m0n0wall blocks certain things by default... SMB (ports 130 and 131 for NetBIOS lookup) looks like it's one of them because I have yet to get SMB sharing to go from one side of a monowall to the other. I'm under the assumption that I'm just doing this all wrong with hopes that I'll figure it out someday.
« Reply #3 on: May 08, 2007, 07:03:14 »
cmb *****
Posts: 851

Oh, so you want *some* access from the outside network to be allowed into your network. I misread that as you wanted to be completely blocked off.

First, you shouldn't use 20.x.x.x IPs on your internal network, that's a valid public IP range, you should only use IPs reserved in RFC 1918. And 20.1.0.x is a /24 (255.255.255.0), not /16 (255.255.0.0) as you put. But that's beside the point, as I'm about to recommend ditching your own subnet anyway. :)

Probably the best thing to do is to set up a filtering bridge, so everything can remain on the same subnet, which makes things like network browsing much easier to deal with, and you can still do firewalling. This describes this type of setup:
http://doc.m0n0.ch/handbook/examples-filtered-bridge.html
« Reply #4 on: May 08, 2007, 21:00:26 »
Ventolin *
Posts: 46

Interesting, that example looks a bit more complex than what I have to work with though... for the purposes of this post, my setup will just be

my pc and rest of network <-> switch <-> monowall <-> server

This way, I should be able to set up monowall to allow only certain IPs or MAC addresses to open connections to the server.

And thinking about it now (slightly more sober) it seems like the server would be best suited to a WAN side, as the LAN side... should be connected to the LAN... duh.

The question arises though... from a client computer, such as my PC, when I try to connect to my server, do I put in monowall's LAN side address, WAN side address (no?) or the server's LAN IP address? I'm hoping if monowall is set up as a filtered bridge, it'll be transparent, but I'm fairly sure nothing is that easy...

Also, what's this you're saying about my subnet? What IPs can I use? I've been using 20.1.x.x for over a year now... oops?
« Reply #5 on: May 09, 2007, 01:28:56 »
cmb *****
Posts: 851

RFC 1918 - Address Allocation for Private Internets
http://www.faqs.org/rfcs/rfc1918.html

You should use something reserved there. You *can* use whatever you want, but you won't be able to communicate with the *real* 20.1.x.x network, which is assigned to Computer Sciences Corporation by ARIN.

What you want is the filtered bridge, it's not complicated at all. What's complicated is trying to get Windows browsing working cross-subnets, you're much better off avoiding that problem.

Your WAN interface has to point in whatever direction your default gateway is, so in this case the server has to be on the LAN side for routing purposes.
« Reply #6 on: May 09, 2007, 07:12:30 »
Ventolin *
Posts: 46

Interesting indeed... I think for simplicity's sake I'll end up with the 10.0.0.0 setup with the CIDR of 8... either way it's no big deal I'm sure.

Now... if the WAN IP of my server's monowall is set up as a DHCP client to another monowall (bear with me, this might start to sound absurd)

say... for example...

My house's main router, some solid D-Link device, brings the internet in... then, where I am two floors down, I'd have a monowall protecting my collection of computers (via a switch)... my PC, laptop, whatever... I'll call it mono1... and mono1 would have a DHCP server set up on the LAN side... duh... which would in turn issue a static IP to the WAN port of my server's monowall, I'll call it mono2...

So let's say that mono1's LAN IP address would be something like 10.0.0.1... a reasonable router/gateway address I think... and it then dishes out IPs to all of its clients... of which mono2 is included... so... mono2's WAN IP could end up as 10.0.0.2 or 3... or whatever... (it doesn't matter too much because of how Windows resolves computer names to IPs, right?)... so does this mean then... if I set up a filtering bridge... I'll have two separate subnets? 10.0.0.x for mono1 and 10.1.0.x? Or what have you... I thought if something was called a bridge it did exactly that and was largely transparent to the network... so the WAN and LAN of mono2 could be under the same subnet, but I get the feeling that won't fly even if it's bridging...

And this all leads me into one simple question... why on earth isn't there some way I can just have a little device on my network that just reads through TCP/IP packet headers and rips out the ones that come from certain IPs? That's the only thing I'm trying to do here and so far this is the most simple solution I've been able to come up with... oy

Thanks again for your suggestions and help
« Reply #7 on: May 10, 2007, 01:28:03 »
cmb *****
Posts: 851

"...so does this mean then... if I set up a filtering bridge... I'll have two separate subnets? 10.0.0.x for mono1 and 10.1.0.x? Or what have you..."

If you're using a /8 like you said above, 10.0.0.x and 10.1.0.x are the same subnet. With a /8, 10.x.x.x is all the same subnet. I would never suggest using a /8 subnet, you should never have more than 254 hosts on a single broadcast domain anyway so /24 is fine.

But to answer your question, you won't have two subnets, that's what I've been saying all along. It's a transparent bridge. You have the same subnet on both sides.

"I thought if something was called a bridge it did exactly that and was largely transparent to the network... so the WAN and LAN of mono2 could be under the same subnet"

Yes, that's precisely how it works.


"And this all leads me into one simple question... why on earth isn't there some way I can just have a little device on my network that just reads through TCP/IP packet headers and rips out the ones that come from certain IPs? That's the only thing I'm trying to do here and so far this is the most simple solution I've been able to come up with... oy"

The filtering bridge is exactly that, and it's very easy to set up and a very simple solution. I could have set up 10 of them in the time I've spent responding to this thread.

Just follow the document I linked.
« Reply #8 on: May 10, 2007, 17:18:56 »
Ventolin *
Posts: 46

My apologies, please forgive my thickness... often times while posting here I've been less than sober, but furthermore I've had pretty bad luck when it comes to networking so I just like to make everything perfectly clear... I thank you very very much for your help.

Once I come into money again I plan on donating heavily to the monowall project, I trust there's a PayPal donation option, lol, or perhaps I should just make a donation to you.

And yes, I'll refrain from using the 10.0.0.0/8 subnet, I got my CIDRs mixed up in a moment of drunkenness (I assume) and went for the wrong CIDR... I'll stick with a more sensible one for the time being.

You've been incredibly helpful indeed... I only wonder now, when I first mentioned DHCP relay... (this got way off topic, didn't it?) you said I'd have to set up a separate subnet on the primary router... or something to that effect... were you referring to a matter of static vs. dynamic allocation ranges or something else?
« Reply #9 on: May 11, 2007, 03:03:47 »
cmb *****
Posts: 851

Man, lay off the forums and the liquor. :D

paypal@chrisbuechler.com if you would like to contribute directly to me, otherwise Manuel does have an account as well, listed on the site, for general project contributions.

As for DHCP relay, it's a way to service multiple IP subnets with a single DHCP server. DHCP requests are broadcasts - so they don't cross subnets. A DHCP relay, or DHCP helper address as it's called in some routers, picks up the DHCP request, tags it with the IP of the interface it originated on (so the DHCP server knows what subnet to assign an IP from), and passes it to the configured DHCP server. You need an enterprise-class DHCP server for this, like ISC dhcpd or Windows Server's DHCP service, amongst others. DHCP servers in firewalls and home network devices typically don't support this.

Pretty good explanation of DHCP relay here:
http://www.serverwatch.com/tutorials/article.php/2193031
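As an added illustration of the relay behaviour cmb describes in the reply above (a toy model written for this thread, not m0n0wall code and not a real DHCP implementation), the snippet below has a relay stamp the request with the address of the interface it arrived on (the giaddr field) and a server that only answers when it holds a scope for that subnet. The router address 192.168.0.1, the relay's 192.168.1.1 interface and the single-address pools are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

ZERO = IPv4Address("0.0.0.0")

@dataclass
class Discover:
    """The DHCPDISCOVER fields that matter for relaying (a constructed model, not wire format)."""
    client_mac: str
    giaddr: IPv4Address = ZERO   # relay address; 0.0.0.0 when the client broadcasts it directly
    hops: int = 0

class DhcpServer:
    """One pool per subnet; the pool is chosen from giaddr when the request was relayed."""
    def __init__(self, own_ip: str, scopes: Dict[str, List[str]]):
        self.own_ip = IPv4Address(own_ip)
        self.scopes = {IPv4Network(n): list(hosts) for n, hosts in scopes.items()}

    def handle(self, req: Discover) -> Optional[IPv4Address]:
        # A directly broadcast request is served from the subnet the server itself sits on;
        # a relayed one is matched against giaddr, the relay's client-facing interface IP.
        selector = self.own_ip if req.giaddr == ZERO else req.giaddr
        for net, pool in self.scopes.items():
            if selector in net:
                return IPv4Address(pool.pop(0)) if pool else None
        return None  # no scope for that subnet: the server ignores the request, nothing is offered

class RelayAgent:
    """Sits on the client subnet, stamps giaddr with its own interface IP, forwards to the server."""
    def __init__(self, interface_ip: str, server: DhcpServer):
        self.interface_ip = IPv4Address(interface_ip)
        self.server = server

    def relay(self, req: Discover) -> Optional[IPv4Address]:
        if req.giaddr == ZERO:           # only the first relay on the path sets giaddr
            req.giaddr = self.interface_ip
        req.hops += 1
        return self.server.handle(req)

def demo():
    # Home router as DHCP server with only its own 192.168.0.0/24 scope (constructed sample data).
    server = DhcpServer("192.168.0.1", {"192.168.0.0/24": ["192.168.0.50"]})
    relay = RelayAgent("192.168.1.1", server)     # firewall LAN on a second subnet
    silent = relay.relay(Discover("aa:bb:cc:00:00:01"))
    # Same server after a second scope for the relayed subnet is added: the client gets a lease.
    server.scopes[IPv4Network("192.168.1.0/24")] = ["192.168.1.50"]
    offered = relay.relay(Discover("aa:bb:cc:00:00:02"))
    return silent, offered
```

The first relayed request returns None, which is the "does nothing" symptom from the opening post; only after the server has a zone for the relay's subnet does an address come back.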